
Private Pages with PHP and Text Files

You run a website that is simple enough it doesn’t require a database. But your site features certain pages to which you’d like to limit access. Most of the time, that implies using a database to store passwords and usernames. There is an easier way, however. It’s less secure, but it involves a lot less coding. A downloadable file for this article is available here.

If you’re using a database with your web application, you already have somewhere to store passwords and usernames, and a method for authenticating visitors. But what do you do if the complexity or security requirements of your site don’t warrant the use of a database? There may be times when you want certain pages or areas of your site to be viewable by only particular people. A very simple way of doing this involves using a text file with a password stored in it and creating a page that prompts the visitor to enter a password; if the password matches what is stored in the text file, the user is allowed access to the restricted page, but if it doesn’t, an appropriate message can be displayed before refreshing the start page.

For further security, you can also encrypt the password that is stored in the text file with a one-way hash so that if the contents of it are discovered somehow, it will still be very difficult to ascertain. All of this can be done with methods built into PHP. It takes surprisingly little code.

Before getting started, you’ll need an environment to test and work with PHP in, so you’ll need to have a web server installed and configured for PHP. Apache works well with PHP and is easily installed and configured, so I’d recommend using this setup.

First of all then, you need a page to hold the text box that will receive the password from the visitor and the submit button to send it to your PHP file. This can be a new page or part of an existing page on your site, whatever you think best. A block of code as simple as the following should suffice:

Next, you need to create the main PHP page that will do the real work. With a blank page in a text editor, open a PHP block in the standard way:

<?php

As I mentioned before, PHP has a standard set of functions and methods used for working with files. The main ones that we will need are the fopen(), fread() and fclose() functions. To do anything with a file, we need to open it, and clearly, this is done using the fopen() function. We need to specify what we intend to do with the file; reading it, or reading and writing to it, are the most common tasks, but additional flags can be used to tell the program whether to place the file pointer at the beginning or end of the file and whether to create the file if it does not already exist. All we are going to need to do for this example, however, is open the text file containing the password for reading.

First then, create a variable that specifies the path to the text file:

$fileloc = "/apachesite/docs/pass.txt";

Next, create a variable to hold the file pointer:

$filetoread = fopen($fileloc, "r") or die("Could not open password file");

You can also use the die method to end the script and print an appropriate message on screen if the operation fails for some reason. Once the file has been opened, you’ll need to read the contents of it so that it can be compared to the input from the password form:

You set a variable to hold the data from the file and call the fread() method which takes two parameters: the file pointer and the length of the file. You may or may not know the length of your password. For future programming ease (when the password needs to be changed) you can use the filesize() method to just grab it all. As soon as the file is no longer needed, it should be closed:

fclose($filetoread);

Using the Password

To use the password entered into the html form, you need to obtain it and store it in a variable. As we used the POST method to send the user input to the PHP script, we can use $_POST to get the entered password:

$password = $_POST["password"];

We can then simply compare the entered password with the stored password and act accordingly:

The first if statement handles an empty $password variable in case the submit button is clicked when the input box is empty. The second statement executes the code within brackets if the password the user enters does not match the one that is stored, and outputs a message indicating that the password is wrong. Finally, if neither of the first two conditions is met, the script concludes that the password must be correct and sends a redirect header to the browser telling it to open the secure HTML page.

Before this will work, you’ll need to create a text file and place it in the same directory as the PHP file. It will need to contain the password you intend to use in plain text for now, and should have the filename referenced in the PHP file. Save all of the files, open the HTML page in a browser and experiment with the form. The page should work as intended.
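The steps above assembled into one script, as an added example rather than the article's own listing. The function names, the messages and the secure.html target are assumptions, and hash_equals() needs PHP 5.6 or later.

```php
<?php
// Added example, not the article's own listing. read_stored_password(),
// check_password() and secure.html are hypothetical names.

function read_stored_password($fileloc)
{
    $filetoread = fopen($fileloc, "r") or die("Could not open password file");
    // filesize() reads the whole file, whatever the password length.
    // fread() rejects a length of 0, so an empty file is handled separately.
    $size = filesize($fileloc);
    $stored = $size > 0 ? fread($filetoread, $size) : "";
    fclose($filetoread);
    // Text editors often append a newline; strip it or nothing ever matches.
    return rtrim($stored, "\r\n");
}

function check_password($password, $stored)
{
    // A field submitted as password[] arrives as an array, not a string.
    if (!is_string($password) || $password === "") {
        return "empty";
    }
    // An empty password file must never match anything.
    if ($stored === "" || !hash_equals($stored, $password)) {
        return "wrong";
    }
    return "ok";
}

$fileloc = "/apachesite/docs/pass.txt";
$password = isset($_POST["password"]) ? $_POST["password"] : "";

switch (check_password($password, read_stored_password($fileloc))) {
    case "empty":
        echo "Please enter a password.";
        break;
    case "wrong":
        echo "The password you entered is incorrect.";
        break;
    default:
        // header() only works if nothing has been output before this point.
        header("Location: secure.html");
        exit;
}
```

The redirect only tells the browser where to go; the target page is still served to any request for its URL unless that page performs its own check. Keeping pass.txt outside the web server's document root stops the server from handing it out as a page.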

When you enter the correct password, if you get an error message saying:

it means that you need to switch output-buffering to “on” in the php.ini file that is found in your Windows directory.

Encryption

Now, somewhere on the first page I mentioned encryption. PHP has some handy MD5 methods built into it, so we can very easily make use of those to convert the password entered by the visitor before it’s compared with the stored password.

MD5 is a one-way hashing algorithm, which means that the password can be encrypted in only one way – from plain text to encrypted text. It is impossible to go the other way. This doesn’t make it impossible to break. It’s susceptible to brute force or dictionary attacks given substantial time periods, but it’s still pretty secure. Add the following line after the $password declaration:

$md5password = (md5($password));

This saves an encrypted version of what is entered into the text field in the variable $md5password. Now you need to modify your if statement so that it compares the stored password to the new encrypted password:

As you can see, we have only changed the variable in the elseif part of the statement. This is because even an empty input variable hashes to a 32 digit value, so the $md5password variable is never going to be empty, even if the submit button is clicked before any text has been entered into the input field.

All you need to do now is find out what the hash is of the password you intend to store in the pass.txt file. To achieve this, you can comment out the entire if statement and add an echo statement that displays the encrypted password on screen. You can then copy the encrypted string and save it in the password file. You must remember to uncomment the if statement and remove the echo call before using the script, however.
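The MD5 comparison described above next to a salted alternative, as an added example that is not the article's code. MD5 is fast and unsalted, so the same password always produces the same stored value, whereas PHP's password_hash() (PHP 5.5 and later) salts every hash and password_verify() checks it. The function names and the sample password are assumptions.

```php
<?php
// Added example, not the article's own listing. The function names and
// the sample password are constructed for illustration.

// The article's scheme: pass.txt holds md5() of the password.
function verify_md5($password, $storedhash)
{
    return hash_equals(strtolower(trim($storedhash)), md5($password));
}

// Salted alternative: pass.txt holds the output of password_hash().
function make_stored_hash($password)
{
    return password_hash($password, PASSWORD_DEFAULT);
}

function verify_salted($password, $storedhash)
{
    return password_verify($password, trim($storedhash));
}

// Run from the command line (php thisfile.php) to compare both schemes and
// to get the line for pass.txt without editing the live script.
if (PHP_SAPI === "cli") {
    $sample = "correct horse battery";   // constructed sample password
    $first  = make_stored_hash($sample);
    $second = make_stored_hash($sample);

    echo "md5 is repeatable:       ", var_export(md5($sample) === md5($sample), true), "\n";
    echo "salted hashes differ:    ", var_export($first !== $second, true), "\n";
    echo "md5 verifies:            ", var_export(verify_md5($sample, md5($sample) . "\n"), true), "\n";
    echo "salted verifies:         ", var_export(verify_salted($sample, $first . "\n"), true), "\n";
    echo "wrong password rejected: ", var_export(!verify_salted("guess", $first), true), "\n";
    echo "md5 of empty input:      ", md5(""), "\n";
    echo "line for pass.txt:       ", $first, "\n";
}
```

With the salted scheme the form handler calls verify_salted() on the raw $password instead of comparing $md5password, and the empty-input check stays on $password as before.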

As far as the bare-bones script goes, that is pretty much it. As far as the test files go, it’s pretty basic, but the HTML page can easily be incorporated into an existing page; you could stick it in a box and style it to match the rest of your homepage to improve that aspect of it, and you could probably include a timing function that waits for a set period of time before redirecting the visitor to the secure page, while displaying a message that the password was correct. You could also include a similar set of functions for reloading the initial page after displaying the appropriate error message for a brief period without too much difficulty.

You can use the script to restrict access to specific pages within your site’s structure. It doesn’t offer the security of the username/password authentication methods afforded by a database, and it means that you have to give the password to whoever you want to access the secure pages, but it offers a simple layer of security with a minimum amount of time and code.